orcus | cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768

General

Target

cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
Size

142.0MB
MD5

8ec31f21bbd85409821e9ff46905de10
SHA1

73d0917083d30de5c3ef9be8ee9f89911bbba77f
SHA256

cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768
SHA512

a95a59bdf0b8aa2cdbe6089c7a71935c35151757d8624e7e89b4ebe8b9709436c13d40003f9fd882269d67ea0908b19e13f08d1db92159064f5e1d2b968f5ec1
SSDEEP

12288:jvQljshUuGBupksQ7dG1lFlWcYT70pxnnaaoawt7ueuRA8rZNrI0AilFEvxHvBMn:qsw4MROxnFd9vrZlI0AilFEvxHiCS

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.150:8848

Mutex

cc95a8263dac4c43869aeacd03467e30

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Windows Update Check
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/5916-53-0x00000000000A0000-0x000000000018A000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe

Executes dropped EXE 2 IoCs

pid	Process
5916	Orcus.exe
1660	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File created	C:\Windows\assembly\Desktop.ini	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5916	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5916	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5916	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5916	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4320	3544	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	91
PID 3544 wrote to memory of 4320	3544	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	91
PID 4320 wrote to memory of 4548	4320	csc.exe	93
PID 4320 wrote to memory of 4548	4320	csc.exe	93
PID 3544 wrote to memory of 5916	3544	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	98
PID 3544 wrote to memory of 5916	3544	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
"C:\Users\Admin\AppData\Local\Temp\cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3nmd24k.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4429.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4428.tmp"
    3⤵
    PID:4548
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5916

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4429.tmp

Filesize
1KB

MD5
1419bd9088eae5d5d13adc7c43deeb61

SHA1
1dbae8110849f132a63eda52d89f8d38e845a48b

SHA256
6960c473db850d42df6bab1f1a6e2251aee803b0492da4dd0f1034188ce36f4b

SHA512
7a3b089bcd9be25ac222892daaf42cdbe0689ac2b050fd1d53ea5f5fa2fd689186856adbb38294947a9c7414a2e5066ea1d83e8055980c1a0532b30e4627fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3nmd24k.dll

Filesize
76KB

MD5
42d4fd02d84eabf091c0d5fbd7135a8e

SHA1
55d5608bf109cf2dd946d20b95d59f2d37487cc2

SHA256
2b2350ddc936fd1b5da1bbbc243c74e2026215b0674b4811f592d3c0204a8cba

SHA512
30368ac5947b2167c33ffd421a0515a80695e91cb76d3655999483164947a963582d096fcbe7b0c0a6730a4b438a56fc834578c7aa65c9acbc17b2fe3a5ac620

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_cc95a8263dac4c43869aeacd03467e30.dat

Filesize
1KB

MD5
b064d0751b43723cc3b9b3d2de1d3e77

SHA1
7e0004fad5a472436e18f3405a0a31fab8eed4cc

SHA256
fa8631e0fce981271c3fb91e4c2ae0acef03f6a6ef4f3b578588c3d2e9cd3f2f

SHA512
58ae1b28f6a3e3c3f72f536f4887fa766cd3ed08a0a292fa3057ea64f2a0aa3d700e43417792b2f1a6e61f0aabd9aa9b50dc21d1eeae7d19451a0630441491a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4428.tmp

Filesize
676B

MD5
d4ec4c8fcd2f67ef2c0e337f0e1caccf

SHA1
e2529ef83e8e3ddd30e9a6d42da6870c85994bba

SHA256
e7ac8c7d15495fcec2ae83bf2091bce568ed7821bf720d998a7466dbfa8b8ada

SHA512
1ddb7984f521219cf7332d4165c855bf874530590fe3baa646fc47c4eaa27cb740418cc6686d6920d8776ccbc2408c69ddbc5e12088dce0fbde6fce8f42d473a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r3nmd24k.0.cs

Filesize
208KB

MD5
a2a50cde3f55fbde78f054fdbc726cc7

SHA1
172d97dec45d5df266ba671db9d3951b5825ac3e

SHA256
bc3e9c129cf8098394f15bd76d8470d12d9e48bc6b440ffb11e76fbddce6174f

SHA512
9a3362c99927294c77e13dce3bdba361f6faf32468c0ed27878cf26e5e9b6570650bf5a988db84ef373f2bbda94c3e568f3ddd1ff26bb0561c4244fbe4408029

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r3nmd24k.cmdline

Filesize
349B

MD5
883c4104c13ca1cfd6736345c58342f7

SHA1
d911ef1700d9cb111439adb81d7d1214b7a341ca

SHA256
7dbfd4af4535dec1e5cf8ca7c601e43289de833d11f470ab00d9c7bbb12b631f

SHA512
28b0efc4ecea0e908ff38f32a358db98786e8c995cd8c15d8c8ad56dd0ea8e96263cf651cd343101474e52b579479c91bccb6d90c5ea675d083cede72b81a98c

Download Submit
memory/3544-8-0x000000001C0F0000-0x000000001C18C000-memory.dmp

Filesize
624KB

Download
memory/3544-26-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/3544-0-0x00007FFD84945000-0x00007FFD84946000-memory.dmp

Filesize
4KB

Download
memory/3544-7-0x000000001BC20000-0x000000001C0EE000-memory.dmp

Filesize
4.8MB

Download
memory/3544-6-0x000000001B690000-0x000000001B69E000-memory.dmp

Filesize
56KB

Download
memory/3544-3-0x000000001B500000-0x000000001B55C000-memory.dmp

Filesize
368KB

Download
memory/3544-23-0x000000001C7B0000-0x000000001C7C6000-memory.dmp

Filesize
88KB

Download
memory/3544-2-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/3544-25-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/3544-51-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/3544-27-0x000000001CBA0000-0x000000001CC02000-memory.dmp

Filesize
392KB

Download
memory/3544-28-0x000000001D500000-0x000000001DABA000-memory.dmp

Filesize
5.7MB

Download
memory/3544-29-0x000000001DAC0000-0x000000001DBB0000-memory.dmp

Filesize
960KB

Download
memory/3544-30-0x000000001CD00000-0x000000001CD1E000-memory.dmp

Filesize
120KB

Download
memory/3544-31-0x000000001DBB0000-0x000000001DBF9000-memory.dmp

Filesize
292KB

Download
memory/3544-32-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/3544-33-0x000000001DC90000-0x000000001DD00000-memory.dmp

Filesize
448KB

Download
memory/3544-34-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/3544-1-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/4320-14-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/4320-21-0x00007FFD84690000-0x00007FFD85031000-memory.dmp

Filesize
9.6MB

Download
memory/5916-50-0x00007FFD811A3000-0x00007FFD811A5000-memory.dmp

Filesize
8KB

Download
memory/5916-53-0x00000000000A0000-0x000000000018A000-memory.dmp

Filesize
936KB

Download
memory/5916-54-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/5916-55-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/5916-56-0x00000000025A0000-0x00000000025DC000-memory.dmp

Filesize
240KB

Download
memory/5916-57-0x000000001B390000-0x000000001B49A000-memory.dmp

Filesize
1.0MB

Download
memory/5916-60-0x000000001AEC0000-0x000000001AF0E000-memory.dmp

Filesize
312KB

Download
memory/5916-62-0x000000001AF50000-0x000000001AF68000-memory.dmp

Filesize
96KB

Download
memory/5916-63-0x000000001BBD0000-0x000000001BD92000-memory.dmp

Filesize
1.8MB

Download
memory/5916-64-0x000000001B380000-0x000000001B390000-memory.dmp

Filesize
64KB

Download
memory/5916-66-0x00007FFD811A3000-0x00007FFD811A5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing